$OpenBSD: patch-i3lock_c,v 1.1.1.1 2017/04/15 12:53:02 jasper Exp $

Add bsd_auth(3) support.

--- i3lock.c.orig	Sun Mar 26 15:01:23 2017
+++ i3lock.c	Fri Apr 14 19:42:14 2017
@@ -18,7 +18,12 @@
 #include <xcb/xkb.h>
 #include <err.h>
 #include <assert.h>
+#ifdef USE_BSDAUTH
+#include <login_cap.h>
+#include <bsd_auth.h>
+#else
 #include <security/pam_appl.h>
+#endif
 #include <getopt.h>
 #include <string.h>
 #include <ev.h>
@@ -29,6 +34,9 @@
 #include <cairo.h>
 #include <cairo/cairo-xcb.h>
 
+#ifdef __OpenBSD__
+#include <strings.h> /* explicit_bzero(3) */
+#endif
 #include "i3lock.h"
 #include "xcb.h"
 #include "cursors.h"
@@ -49,7 +57,9 @@ char color[7] = "ffffff";
 uint32_t last_resolution[2];
 xcb_window_t win;
 static xcb_cursor_t cursor;
+#ifndef USE_BSDAUTH
 static pam_handle_t *pam_handle;
+#endif /* !USE_BSDAUTH */
 int input_position = 0;
 /* Holds the password you enter (in UTF-8). */
 static char password[512];
@@ -59,11 +69,11 @@ bool unlock_indicator = true;
 char *modifier_string = NULL;
 static bool dont_fork = false;
 struct ev_loop *main_loop;
-static struct ev_timer *clear_pam_wrong_timeout;
+static struct ev_timer *clear_auth_wrong_timeout;
 static struct ev_timer *clear_indicator_timeout;
 static struct ev_timer *discard_passwd_timeout;
 extern unlock_state_t unlock_state;
-extern pam_state_t pam_state;
+extern auth_state_t auth_state;
 int failed_attempts = 0;
 bool show_failed_attempts = false;
 bool retry_verification = false;
@@ -158,6 +168,9 @@ static bool load_compose_table(const char *locale) {
  *
  */
 static void clear_password_memory(void) {
+#ifdef __OpenBSD__
+    explicit_bzero(password, strlen(password));
+#else
     /* A volatile pointer to the password buffer to prevent the compiler from
      * optimizing this out. */
     volatile char *vpassword = password;
@@ -167,6 +180,7 @@ static void clear_password_memory(void) {
          * compiler from optimizing the calls away, since the value of 'beep'
          * is not known at compile-time. */
         vpassword[c] = c + (int)beep;
+#endif
 }
 
 ev_timer *start_timer(ev_timer *timer_obj, ev_tstamp timeout, ev_callback_t callback) {
@@ -206,13 +220,13 @@ static void finish_input(void) {
 }
 
 /*
- * Resets pam_state to STATE_PAM_IDLE 2 seconds after an unsuccessful
+ * Resets auth_state to STATE_AUTH_IDLE 2 seconds after an unsuccessful
  * authentication event.
  *
  */
 static void clear_pam_wrong(EV_P_ ev_timer *w, int revents) {
     DEBUG("clearing pam wrong\n");
-    pam_state = STATE_PAM_IDLE;
+    auth_state = STATE_AUTH_IDLE;
     redraw_screen();
 
     /* Clear modifier string. */
@@ -222,7 +236,7 @@ static void clear_pam_wrong(EV_P_ ev_timer *w, int rev
     }
 
     /* Now free this timeout. */
-    STOP_TIMER(clear_pam_wrong_timeout);
+    STOP_TIMER(clear_auth_wrong_timeout);
 
     /* retry with input done during pam verification */
     if (retry_verification) {
@@ -248,11 +262,24 @@ static void discard_passwd_cb(EV_P_ ev_timer *w, int r
 }
 
 static void input_done(void) {
-    STOP_TIMER(clear_pam_wrong_timeout);
-    pam_state = STATE_PAM_VERIFY;
+    STOP_TIMER(clear_auth_wrong_timeout);
+    auth_state = STATE_AUTH_VERIFY;
     unlock_state = STATE_STARTED;
     redraw_screen();
 
+#ifdef USE_BSDAUTH
+    struct passwd *pw;
+
+    if (!(pw = getpwuid(getuid())))
+	    errx(1, "unknown uid %u.", getuid());
+
+    if (auth_userokay(pw->pw_name, NULL, NULL, password) != 0) {
+        DEBUG("successfully authenticated\n");
+        clear_password_memory();
+
+	exit(0);
+    }
+#else
     if (pam_authenticate(pam_handle, 0) == PAM_SUCCESS) {
         DEBUG("successfully authenticated\n");
         clear_password_memory();
@@ -266,12 +293,13 @@ static void input_done(void) {
 
         exit(0);
     }
+#endif
 
     if (debug_mode)
         fprintf(stderr, "Authentication failure\n");
 
     /* Get state of Caps and Num lock modifiers, to be displayed in
-     * STATE_PAM_WRONG state */
+     * STATE_AUTH_WRONG state */
     xkb_mod_index_t idx, num_mods;
     const char *mod_name;
 
@@ -305,7 +333,7 @@ static void input_done(void) {
         }
     }
 
-    pam_state = STATE_PAM_WRONG;
+    auth_state = STATE_AUTH_WRONG;
     failed_attempts += 1;
     clear_input();
     if (unlock_indicator)
@@ -314,7 +342,7 @@ static void input_done(void) {
     /* Clear this state after 2 seconds (unless the user enters another
      * password during that time). */
     ev_now_update(main_loop);
-    START_TIMER(clear_pam_wrong_timeout, TSTAMP_N_SECS(2), clear_pam_wrong);
+    START_TIMER(clear_auth_wrong_timeout, TSTAMP_N_SECS(2), clear_pam_wrong);
 
     /* Cancel the clear_indicator_timeout, it would hide the unlock indicator
      * too early. */
@@ -393,7 +421,7 @@ static void handle_key_press(xcb_key_press_event_t *ev
             if ((ksym == XKB_KEY_j || ksym == XKB_KEY_m) && !ctrl)
                 break;
 
-            if (pam_state == STATE_PAM_WRONG) {
+            if (auth_state == STATE_AUTH_WRONG) {
                 retry_verification = true;
                 return;
             }
@@ -601,6 +629,7 @@ void handle_screen_resize(void) {
  * Callback function for PAM. We only react on password request callbacks.
  *
  */
+#ifndef USE_BSDAUTH
 static int conv_callback(int num_msg, const struct pam_message **msg,
                          struct pam_response **resp, void *appdata_ptr) {
     if (num_msg == 0)
@@ -627,6 +656,7 @@ static int conv_callback(int num_msg, const struct pam
 
     return 0;
 }
+#endif /* !USE_BSDAUTH */
 
 /*
  * This callback is only a dummy, see xcb_prepare_cb and xcb_check_cb.
@@ -782,8 +812,10 @@ int main(int argc, char *argv[]) {
     struct passwd *pw;
     char *username;
     char *image_path = NULL;
+#ifndef USE_BSDAUTH
     int ret;
     struct pam_conv conv = {conv_callback, NULL};
+#endif /* !USE_BSDAUTH */
     int curs_choice = CURS_NONE;
     int o;
     int optind = 0;
@@ -877,17 +909,19 @@ int main(int argc, char *argv[]) {
      * the unlock indicator upon keypresses. */
     srand(time(NULL));
 
+#ifndef USE_BSDAUTH
     /* Initialize PAM */
     if ((ret = pam_start("i3lock", username, &conv, &pam_handle)) != PAM_SUCCESS)
         errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret));
 
     if ((ret = pam_set_item(pam_handle, PAM_TTY, getenv("DISPLAY"))) != PAM_SUCCESS)
         errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret));
+#endif /* !USE_BSDAUTH */
 
 /* Using mlock() as non-super-user seems only possible in Linux. Users of other
  * operating systems should use encrypted swap/no swap (or remove the ifdef and
  * run i3lock as super-user). */
-#if defined(__linux__)
+#if defined(__linux__) || defined(__OpenBSD__)
     /* Lock the area where we store the password in memory, we don’t want it to
      * be swapped to disk. Since Linux 2.6.9, this does not require any
      * privileges, just enough bytes in the RLIMIT_MEMLOCK limit. */
@@ -985,7 +1019,7 @@ int main(int argc, char *argv[]) {
     cursor = create_cursor(conn, screen, win, curs_choice);
 
     /* Display the "locking…" message while trying to grab the pointer/keyboard. */
-    pam_state = STATE_PAM_LOCK;
+    auth_state = STATE_AUTH_LOCK;
     grab_pointer_and_keyboard(conn, screen, cursor);
 
     pid_t pid = fork();
@@ -1012,7 +1046,7 @@ int main(int argc, char *argv[]) {
         errx(EXIT_FAILURE, "Could not initialize libev. Bad LIBEV_FLAGS?\n");
 
     /* Explicitly call the screen redraw in case "locking…" message was displayed */
-    pam_state = STATE_PAM_IDLE;
+    auth_state = STATE_AUTH_IDLE;
     redraw_screen();
 
     struct ev_io *xcb_watcher = calloc(sizeof(struct ev_io), 1);
